The Hacker News — Cyber Security, Hacking, Technology News

A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them.

The vulnerability has been uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers, Tavis Ormandy, has also posted a proof-of-concept attack, just 40 days after the initial report.

Usually, the Project Zero team discloses vulnerabilities either 90 days after reporting them to the affected vendors or once the vendor has released a patch.

However, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago.

"I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see," Ormandy said in a public report published Tuesday.

Proof-of-Concept Exploit Made Publicly Available

The PoC attack published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser.

Ormandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack.

The Transmission BitTorrent app works on a server-client architecture, where users have to install a daemon service on their systems in order to access a web-based interface locally in their browsers.

The daemon installed on the user's system then interacts with the server for downloading and uploading files through the browser using JSON RPC requests.

Ormandy found that a hacking technique called the "domain name system rebinding" attack could successfully exploit this implementation, allowing any malicious website that a user visits to execute malicious code on the user's computer remotely with the help of the installed daemon service.

Here's How the Attack Works:

The loophole resides in the fact that services installed on localhost can be manipulated to interact with third-party websites.

"I regularly encounter users who do not accept that websites can access services on localhost or their intranet," Ormandy wrote in a separate post, which includes the patch.

"These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website "transfers" execution somewhere else. It does not work like that, but this is a common source of confusion."

Attackers can exploit this loophole by simply creating a DNS name they're authorized to communicate with and then making it resolve to the vulnerable computer's localhost name. Here's how the attack works:

A user visits a malicious site (http://attacker.com), which has an iframe to a subdomain controlled by the attacker.

The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address controlled by the attacker) with a very low TTL.

When the browser resolves to 123.123.123.123, the attacker serves HTML that waits for the DNS entry to expire (or forces it to terminate by flooding the cache with lookups), after which the attacker's page has permission to read and set headers.
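A defensive check for the rebinding scenario described above, added here as an example (it is not Ormandy's patch or Transmission's code): a localhost JSON RPC daemon refuses any request whose Host header is not a loopback address or an allowed name. The port 9091, the `localhost` allowlist and all function names are assumptions, and the sample Host values are constructed.

```python
import ipaddress

LISTEN_PORT = 9091                        # assumed port of the local RPC daemon
ALLOWED_NAMES = frozenset({"localhost"})  # assumed: daemon is used only from this machine


def split_host_port(host_header):
    """Split a Host header value into (host, port or None); ValueError if malformed."""
    value = host_header.strip()
    if not value:
        raise ValueError("empty Host header")
    if value.startswith("["):             # bracketed IPv6 literal, e.g. [::1]:9091
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port = rest[1:] if rest else None
    else:
        host, sep, port = value.partition(":")
        port = port if sep else None
    if port is not None and not (port.isascii() and port.isdigit()):
        raise ValueError("port is not numeric")
    # Browsers may send a trailing dot or mixed case; normalise before comparing.
    return host.rstrip(".").lower(), (int(port) if port is not None else None)


def host_is_allowed(host_header, listen_port=LISTEN_PORT, allowed_names=ALLOWED_NAMES):
    """True only when the Host header names this daemon: loopback literal or allowed name."""
    try:
        host, port = split_host_port(host_header)
    except ValueError:
        return False
    if (port if port is not None else 80) != listen_port:  # no port in Host means 80
        return False
    try:
        # A literal address involves no DNS lookup, so it cannot be rebound.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host in allowed_names      # any other DNS name is refused


# Constructed Host values. Each request arrives over a TCP connection to 127.0.0.1,
# so the peer address cannot tell them apart; only the Host header differs.
SAMPLE_HOSTS = [
    "localhost:9091",
    "127.0.0.1:9091",
    "[::1]:9091",
    "LOCALHOST.:9091",
    "rebind.attacker.com:9091",     # constructed subdomain of the page's attacker.com
    "123.123.123.123:9091",         # the page's attacker-controlled address
    "localhost.attacker.com:9091",  # look-alike name, still attacker DNS
    "localhost:80",                 # wrong port for this daemon
    "",
]


def classify(hosts=SAMPLE_HOSTS):
    """Return [(host, 'accept' | 'reject 403')] for each Host header value."""
    return [(h, "accept" if host_is_allowed(h) else "reject 403") for h in hosts]


if __name__ == "__main__":
    for host, verdict in classify():
        print(f"{host!r:32} {verdict}")
```

After the DNS answer flips to 127.0.0.1 the browser still sends the attacker's name in Host, which is why the check rejects the rebound request even though it reaches the loopback listener.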

Ormandy said the vulnerability (CVE-2018-5702) was the "first of a few remote code execution flaws in various popular torrent clients," though he did not name the other torrent apps due to the 90-day disclosure timeline.

A fix is expected to be released as soon as possible, a development official with Transmission told ArsTechnica, without specifying an actual date.

Torrentz.eu was a free, fast and powerful meta-search engine that hosted no torrents of its own, but combined results from dozens of other torrent search engine sites including The Pirate Bay, Kickass Torrents and ExtraTorrent.

The meta-search engine has announced "farewell" to its millions of torrent users without much fanfare, suddenly ceasing its operation and disabling its search functionality.

At the time of writing, the Torrentz.eu Web page is displaying a message that reads in the past tense:

"Torrentz was a free, fast and powerful meta-search engine combining results from dozens of search engines."

When a user tries to run any search or click any link on the site, the search engine refuses to show any search results and instead displays a message that reads:

"Torrentz will always love you. Farewell."

Launched back in 2003, Torrentz has entertained the torrent community for more than 13 years with millions of visitors per day.

However, today, the popular meta-search engine has shut down its operation from all Torrentz domains, including the main .EU domain (both HTTP and HTTPS version) as well as other backups such as .ME, .CH, and .IN.

Although many copyright holders were not happy with the site, and both the RIAA and MPAA have reported it to the U.S. Government in recent years, says TorrentFreak, there is no news of any arrest or legal takedown of the site in this case.

Still, it would be fair enough to wait for an official announcement from the site owners.

The Pirate Bay — an infamous Torrent website predominantly used to share copyrighted material such as films, TV shows and music files, free of charge — went dark from the internet on Tuesday after Swedish Police raided the site's server room in Stockholm and seized several servers and other equipment.

The piracy site was knocked offline worldwide on Tuesday morning and remained unavailable for several hours, but the site appeared back online in the late hours with a new URL hosted under the top-level domain for Costa Rica.

Paul Pintér, national coordinator for IP enforcement for the Swedish police, issued only a brief statement on Tuesday, saying that the operation was "a crackdown on a server room in Greater Stockholm" that was "in connection with violations of copyright law."

The raid was also confirmed by Fredrik Ingblad, a prosecutor who specializes in file-sharing cases on behalf of the Swedish government, although he would not share further details or even confirm that The Pirate Bay was the target.

"There were a number of police officers and digital forensics experts there," Ingblad told Sveriges Radio (SR), the local media. "This took place during the morning and continued until this afternoon. Several servers and computers were seized, but I cannot say exactly how many. I can't say exactly what the crime is yet."

However, this is not the first time the site has gone dark. The Pirate Bay has previously been shut down a number of times and had its domain seized, prompting the BitTorrent site to change its top-level domain many times. Back in September, The Pirate Bay claimed that it ran the notorious website on 21 "raid-proof" virtual machines, which means that if one location is raided by the police, the site would take only a few hours to get back in action.

The raid comes almost a month after the arrest of Fredrik Neij, the third and final founder of The Pirate Bay, at the border between Laos and Thailand on November 3. He was convicted by Swedish courts for sharing copyrighted material more than five years ago.

Not just The Pirate Bay, the torrent portal's forum, Suprbay.org, image-hosting website Bayimg.com, and text-hosting website Pastebay.net, along with a number of other torrent-related sites including EZTV, Zoink, Torrage and the Istole tracker, have also been knocked offline in this most recent crackdown on the sharing of copyrighted material.

It has also been reported that at least one man may have been detained by police in connection with Tuesday's raid, according to file-sharing news site TorrentFreak. But Fredrik Ingblad did not confirm or deny that one person had been detained.

Since its launch in 2003, The Pirate Bay (TPB) has become the world's largest torrent tracker site, which handles requests from millions of users every day and is among the top 100 most visited websites on the Internet. Generally, it is infamous for potentially hosting illegal content on its website.

Following the hack, hackers leaked five unreleased Sony movies to Torrent file-sharing websites during Black Friday. It's still not clear whether the two back-to-back incidents at Sony Pictures are the work of the same group of hackers, but here's what you need to know about the breach:

1. FBI MALWARE WARNING AFTER SONY PICTURES HACK

The U.S. Federal Bureau of Investigation (FBI) warned businesses that cyber criminals have used malicious software to launch destructive cyber-attacks in the United States, following last week's massive data breach at Sony Pictures Entertainment, in which four unreleased films were stolen and pirate-shared.

In a five-page confidential 'flash' warning, the FBI recommended that users strengthen the protection of their information systems and limit access to databases. But when asked if the same malicious software had been used in the Sony Pictures hack, the FBI declined to comment.

This new "destructive" malware has the capability to overwrite a victim host's master boot record and all data files. "The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," according to Reuters, which independently obtained the report.

2. IS NORTH KOREA BEHIND THE CYBER ATTACK ON SONY PICTURES?

As we reported earlier, Sony Pictures is investigating the possibility that hackers working on behalf of North Korea were behind the hacking incident.

The Sony hack is payback for the upcoming Kim Jong assassination comedy film. That is because the hack comes just a month before the scheduled release of Sony's upcoming "The Interview," a comedy about two journalists who are recruited by the CIA to assassinate North Korean leader Kim Jong Un.

The film became a source of international controversy, and the Pyongyang government denounced the film as "undisguised sponsoring of terrorism, as well as an Act of War" in a letter to U.N. Secretary-General Ban Ki-moon in June.

But pointing a finger at North Korea without any strong evidence would be wrong. So, we still won't confirm whether it's cyber war by North Korea or some other unknown, sophisticated hacker.

3. FIVE LEAKED MOVIES LINKED TO SONY PICTURES

Following last week's cyber-attack on Sony Pictures Entertainment, high-quality versions of five of the newest films distributed by Sony Pictures (Annie, Fury, Still Alice, Mr. Turner and To Write Love on Her Arms) leaked online during Black Friday.

Four of the leaked films have yet to hit the big screen. The remake of the 1982 release "Annie" is Sony's next big film, scheduled to hit theaters on Dec. 19 with new stars Quvenzhané Wallis, Cameron Diaz and Jamie Foxx.

Two other new films, "Mr. Turner" and "Still Alice" are also considered possible Oscar contenders for their lead actors Timothy Spall and Julianne Moore.

4. SONY HIRED FIREEYE FOR INVESTIGATION

Sony Pictures Entertainment has hired the Mandiant incident response team of FireEye Inc to help clean up the damage caused by the huge cyber attack on its network, which forced its employees to put pen to paper over the last few weeks.

In addition to FireEye, the FBI is also investigating the matter and is looking into the devastating leak of four of its upcoming movies, although it has not been confirmed that the leak of all the films came from the same data breach.

Mandiant is a well-known security incident response team of FireEye which deals in forensic analysis, repairs and network restoration. Mandiant is the same team that helped in the catastrophic security breach experienced by one of the world's largest retailers, Target, in 2013.

The gaming network also suffered a more severe hack in 2011, which led to the exposure of 77 million PlayStation and Qriocity accounts along with 25 million Sony Online Entertainment accounts, bringing the total to more than 100 million in one of the largest data breaches ever. The hack cost Sony 14 billion yen ($172 million), and it took the networks -- for downloading and playing games, movies, and music -- offline for about a month before bringing them back up.


The search engine giant is not going to spare sites that provide pirated content. Google is ready to fulfill its commitment to downgrade the search rankings of ‘notorious’ piracy sites globally that often rank above legal and commercial sites.

Google and copyright holders have been, to some extent, enemies for years, but in Google's ongoing anti-piracy efforts, the company will fight copyright infringement and assure rights holders that their content will appear at the top of its search results and that search makes up only a small portion of pirate traffic.

DOWNGRADE PIRATED SITES

Google is preparing major tweaks to its search engine, which you’ll be able to see this week, to ensure that the ‘notorious’ piracy sites that enable the downloading or streaming of pirated contents are out of search results when people search for music, movies and other copyrighted content.

The announcement of the algorithm update came as Google updated its “How Google Fights Piracy” report to show how Google is trying to help combat piracy. The report also shows that Google-owned YouTube paid out $1 billion to copyright holders in a program that allows them to monetize unauthorized use of their copyrighted material uploaded to the video-sharing site.

GOOGLE’S ANTI-PIRACY EFFORTS SINCE 2012

The move is in response to a promise the company made in 2012; the legal music and movie industries have claimed that Google didn’t follow through on that commitment. But with this round of efforts to combat piracy, Google says the results will be noteworthy.

"In August 2012 we first announced that we would downrank sites for which we received a large number of valid DMCA notices," Google’s senior copyright counsel Katherine Oyama explained on Friday in a blog post. "We’ve now refined the signal in ways we expect to visibly affect the rankings of some of the most notorious sites."

"This update will roll out globally starting next week."

CHANGES IN AD TWEAKS

The report noted that Google’s new ad formats have been designed to redirect users to legitimate sources whenever they search for things like "download", "free" or "watch" alongside music and movie-related search queries.

The way advertisements are presented is also being tweaked, with links to legal streaming services and online shops presenting users with destinations when they use certain keywords. The new ad format will roll out first in the United States, but there are plans to implement it internationally as well.

"We ultimately removed 222M, which means we rejected or reinstated less than one percent after review because we either needed additional information, were unable to find the page, or concluded that the material was not infringing," the report said.

The top three sites where links were removed from the Google search results were RapidGator, 4Shared, and Dilandau. All three are illegal websites with more than seven million takedown requests.

MORE NO. OF DMCA NOTICES = LESS SEARCH RANKING

The company has also stated that they will be removing more terms from its auto-complete search feature with many DMCA demoted sites, based on DMCA removal notices. "We’ve begun demoting auto complete predictions that return results with many DMCA demoted sites."

Moreover, Google is also implementing an “improved DMCA demotion signal” for search results. This means that websites with a larger number of DMCA notices for infringement will be automatically pushed down in the search engine rankings.

"Even for the websites that have received the highest numbers of notices, the number of noticed pages is typically only a tiny fraction of the total number of pages on the site," the new report said. "It would be inappropriate to remove entire sites under these circumstances."

We are sure that with these new changes to its anti-piracy policy, Google will be making combating piracy more efficient.

The Pirate Bay is the world's largest torrent tracker site, which handles requests from millions of users every day and is among the top 100 most visited websites on the Internet. Generally, The Pirate Bay is famous for potentially hosting illegal content on its website.

Despite years of persecution, it continues to disobey copyright laws worldwide. Even though both founders of The Pirate Bay (TPB) file exchange service were arrested by the authorities and are in prison, their notorious pirated content exchange continues to receive millions of unique visitors daily. That’s really strange! But how?

Recently, The Pirate Bay team has revealed how cloud technology made its service’s virtual servers truly secure to avoid police raids and detection.

While it doesn't own any physical servers, The Pirate Bay runs on “virtual machines” at a few commercial cloud hosting services, which do not even know whom they are dealing with.

According to a TorrentFreak report, The Pirate Bay at present has 21 virtual machines (VMs) hosted around the globe at different cloud providers.

The cloud technology eliminates the need for any crucial pieces of hardware, which saves cost, guarantees better uptime, and makes the site more portable and therefore harder to take down.

The Pirate Bay operates using 182 GB of RAM and 94 GPU cores, with total storage capacity of 620 GB, which actually are not used in full.

Of the 21 VMs, eight are used to serve web pages, six are dedicated to handling searches, two currently run the site’s database, and the remaining five are used for load balancing, statistics, the proxy site on port 80, torrent storage and the controller.

Interestingly, the commercial cloud hosting providers have no idea that The Pirate Bay is using their services, because all traffic goes through the load balancer, which masks the activities of the other virtual machines from the cloud providers. This means that none of the IP addresses of the cloud hosting providers are publicly linked to The Pirate Bay, so that should keep them safe.

If the police shut down some of these cloud servers, it is always possible to move the VMs to another location in a relatively short time. For example, back in 2006 in Sweden, police raided The Pirate Bay's hosting company, seizing everything from blank CDs to fax machines and servers and taking down the site, but it took just three days to return to its normal state.

In the ransomware category, a nasty piece of malware called CRYPTOLOCKER is at the top; it has threatened most people around the world, effectively destroying victims' important files.

Cryptolocker, which strongly encrypts victims' hard drives until a ransom is paid, is now again back in action to haunt your digital life with an additional feature.

Until now, CryptoLocker has been spread via spam email, with victims tempted to download an attachment or click on a link to a malicious website, but now it can spread itself as a worm through removable USB drives.

Security Researchers at Trend Micro have recently reported a new variant of Cryptolocker which is capable of spreading through removable USB drives.

As previously reported by our security experts at The Hacker News, Cryptolocker is malware that locks your files and demands a ransom to release them. The files are encrypted, so removing the malware from the system doesn’t unlock your files. The only way to get your files decrypted is to pay the demanded ransom amount to the criminals.

This new version of Cryptolocker is detected as WORM_CRILOCK.A, and can infect computers by posing as key generators or activators for paid software such as Adobe Photoshop and Microsoft Office on Torrent websites.

If CryptoLocker has already encrypted your files, it will display a message demanding payment. Once installed on a system, it can replicate itself onto a USB drive and spread further, and if the infected system is connected to a network, the Cryptolocker worm can look for other connected drives to infect as well.

Other malware has employed similar tactics in the past, but CryptoLocker's encryption is much more secure and is currently not possible to crack. However, the new Cryptolocker does not use a DGA (domain generation algorithm); instead it relies on hardcoded command & control center details.

Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains. This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability.

Recommendations for users to defend against such threats:

Users should avoid using P2P i.e. Torrent sites to get pirated copies of software and stick with official or reputable sites.

Users should also be extremely careful about plugging USB drives into their computers. If you found one lying around, don't plug it in to see what may be on it.

The excitement continues: Rockstar Games has scheduled the release of the latest game in the Grand Theft Auto series, GTA 5, for September 17, but cyber criminals have already released a fake version of GTA 5 that contains malware on torrent networks.

Romanian security firm BitDefender issued a warning that GTA V hasn’t been leaked, and that during installation of the fake you will be asked to complete a survey and send off a text message to get the serial number. You will then be charged €1 per day on your phone bill and will be infected by a virus.

The PC version has yet to be announced, so trying to install it on your PC is a ridiculous idea; but that seems to be what a lot of people are doing.

"The survey opens in a web browser and, therefore, is able to perform a geographic redirect to the web page that corresponds to the area you are located in," said Bitdefender Senior E-Threat Analyst Bogdan Botezatu.

This malware is a generic Trojan, Trojan.GenericKDV.1134859, which can steal user information, tamper with system files or draft a computer into a botnet. This will result in you being charged for premium rate text messages sent by bogus firms.

The easiest way to avoid this malicious software is to not illegally download copies of GTA V, especially when the game isn't yet launched.

The UK High Court has ordered BSkyB, BT, Virgin Media and three other UK broadband providers to block access to three music and movie file-sharing websites Kickass Torrents, H33T and Fenopy.

Judge Richard Arnold said that these websites infringed 10 music companies' copyrights on an industrial scale.

He granted an order to 10 record labels including EMI, Sony and Universal against six UK internet service providers requiring them to take measures to block or at least impede access by their customers to these three file-sharing websites.

"The orders are necessary and appropriate to protect the intellectual property rights of the claimants and other copyright owners," the judge said. The ISPs have been given 15 working days to block access to the sites. Each ISP will decide how to warn customers and subsequently attempt to curb alleged illegal file sharing activity.

Verizon decided to send a series of warnings to Internet users and after the fifth the alleged copyright infringer's Internet connection will be slowed significantly for up to three days.


A Russian hacker going by the name "kOS" hacked into the website of the Bulgarian torrent tracker "Arenabg" (http://forum.arenabg.com/), leaked the complete database of its forum, and accused the site of collecting users' IP addresses, like PirateBay.

Hacker said, "Why I hack this tracker? Because they store IP information and NO tracker must do, not on any of their service - blog, forum, custom CMS or else. If ARENABG not fix mistake, I dump main tracker information with all IP/username/pass!"

The leaked database includes data on 22675 users, with their names, emails, encrypted passwords and IP addresses, and other forum-based information.